Re: Authentication schemes
On Friday 27 April 2001 16:29, Stephane Bortzmeyer wrote:

>> - Ability for owners of our hosted domains to administer their own user databases.
>
> Easy with LDAP, where ACLs are per-branch. But it means you need to study your scheme: we plan to have a branch per group of customers (we don't have individual customers).

How do you implement ACLs per-branch? It seems to me that OpenLDAP only supports this through regular expressions, which are very slow. If you have 1000 customers and each has a regular expression to determine the access rights then you'll probably get 2 LDAP reads per second out of high-end hardware!

>> - Ability for any applicable account to be able to own a file in the file system with a globally unique UID/GID. Not every account would have this requirement; email-only accounts likely don't need to own any files.
>
> It costs nothing to give a UID to everyone (in 'woody', all the programs use 32-bit UIDs) so we plan to give it to everybody.

You might as well allocate them a customer number as soon as they sign up. If that number ever becomes a UID is another issue...

>> for the email side of it? Our webserver is Roxen (from source, not packaged), and we are using the IMHO plugin for web-based email. Unless we can't get this scheme to work with Roxen, we have no plans to change webserver software.
>
> We use Apache and LDAP authentication works fine.

What exactly do you do with Apache and LDAP? LDAP authentication for WebDAV for uploads?

-- 
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/projects.html Projects I am working on
http://www.coker.com.au/~russell/ My home page

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Re: Authentication schemes
On Sat, Apr 28, 2001 at 09:00:54AM +0200, Russell Coker [EMAIL PROTECTED] wrote a message of 49 lines which said:

> How do you implement ACLs per-branch? It seems to me that OpenLDAP only supports this through regular expressions which are very slow. If you have

I did not try it yet but, according to the OpenLDAP Administrator's Guide, you can use LDAP filters so, assuming company Foo is a customer, you can write (ou=Foo) in the access rule.

We are still trying different LDAP schemas. Ours are driven by the fact that we do not have individual customers, but entities (each entity having several accounts, possibly with different privileges).

>> We use Apache and LDAP authentication works fine.
>
> What exactly do you do with Apache and LDAP? LDAP authentication for WebDAV for uploads?

Not yet (we use FTP - with proftpd - for uploads; WebDAV is on the TODO list, as well as Zope, which can authenticate with LDAP). We only use Apache+LDAP for reading restricted directories (such as per-consumer stats).
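An added example of per-branch delegation in slapd.conf (written for this page, not Stephane's or Russell's configuration): the one-rule-per-customer regex shape Russell is worried about, a single rule that captures the customer's ou instead, and a regex-free subtree rule. The suffix dc=example,dc=net, the ou=customers layout, the admin DNs and the group names are made up, and the three shapes are alternatives shown side by side rather than one file to deploy.

```conf
# Added example, not from any poster: slapd.conf access rules that delegate
# one branch per customer entity. Suffix, ou layout and DNs are made up;
# dn.subtree, dn.regex, group.exact and the ",expand" modifier are
# OpenLDAP 2.1+ access syntax. The three shapes below are alternatives.

# Shape 1, the slow one: a regex <what> per customer, so a single access
# check may run through every rule (and its regex) before one matches.
access to dn.regex="^(.+,)?ou=foo,ou=customers,dc=example,dc=net$"
        by dn.exact="cn=admin,ou=foo,ou=customers,dc=example,dc=net" write
        by * none
access to dn.regex="^(.+,)?ou=bar,ou=customers,dc=example,dc=net$"
        by dn.exact="cn=admin,ou=bar,ou=customers,dc=example,dc=net" write
        by * none
# ... and so on, once per customer.

# Shape 2, the same policy as one rule: the customer's ou is captured in
# <what> and substituted as $2 on the <who> side, so each customer admin can
# only write its own branch and each customer's accounts can only read it.
access to dn.regex="^(.+,)?ou=([^,]+),ou=customers,dc=example,dc=net$"
        by dn.exact,expand="cn=admin,ou=$2,ou=customers,dc=example,dc=net" write
        by dn.subtree,expand="ou=$2,ou=customers,dc=example,dc=net" read
        by * none

# Shape 3, no regex at all: a subtree match plus a group of delegated
# admins that lives inside the branch it controls.
access to dn.subtree="ou=foo,ou=customers,dc=example,dc=net"
        by group.exact="cn=admins,ou=foo,ou=customers,dc=example,dc=net" write
        by dn.subtree="ou=foo,ou=customers,dc=example,dc=net" read
        by * none

# Rules are tried in order and the first <what> that matches decides, so put
# specific branch rules before any catch-all. A rule can be checked offline,
# e.g. that bar's admin cannot write foo's passwords:
#   slapacl -f slapd.conf -D "cn=admin,ou=bar,ou=customers,dc=example,dc=net" \
#           -b "uid=alice,ou=foo,ou=customers,dc=example,dc=net" userPassword/write
```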
An LDAP authentication howto for Debian?
Out of curiosity, has anyone come across a sort of LDAP authentication howto for Debian? I've been pondering the idea of using a central LDAP database for authentication for a while now, but I'm sort of lost after installing the necessary PAM stuff.

Thanks.

-jg

-- 
Jeremy L. Gaddis [EMAIL PROTECTED]
Go away or I will replace you with a very small shell script.
RE: Apache and multiple virtual domains
Hi!

You can use the suEXEC mechanism to do that job. The suEXEC wrapper allows running CGI and SSI under different UIDs.

cheers
marcelo gulin

----- Original Message -----
From: Marcel Hicking [EMAIL PROTECTED]
To: debian-isp@lists.debian.org
Sent: Friday, April 27, 2001 3:44 AM
Subject: Re: Apache and multiple virtual domains

> What I want to do is have multiple virtual hosts with each virtual host having a different UID for running CGI-BIN scripts.

http://cgiwrap.unixtools.org/

CGIWrap is a gateway program that allows general users to use CGI scripts and HTML forms without compromising the security of the http server. Scripts are run with the permissions of the user who owns the script. In addition, several security checks are performed on the script, which will not be executed if any checks fail.

Since scripts uploaded via FTP will be owned by your customer's UID, they should then run under his UID. I am not sure, however, if you could get the whole apache subprocess to be run under a different UID this way, but then I am not sure if this would give additional security or other advantages.

BTW. I've seen some descriptions on how to set up CGIwrap transparently so your customers wouldn't even notice CGIwrap is running. Something with setting up a handler for file extensions. Maybe check the tips and tricks page http://cgiwrap.unixtools.org/tricks.html on this as well as for some nice mod_rewrite rules ;-)

Cheers, Marcel
Re: Apache and multiple virtual domains
On Saturday 28 April 2001 12:13, Marcelo Gulin wrote:

> You can use the suEXEC mechanism to do that job. The suEXEC wrapper allows running CGI and SSI under different UIDs.

My impression is that suEXEC only works for explicit user home directories whereas cgiwrap works with URLs that map to something equating a home directory and then runs them under whichever UID it finds. I'll have to check this more though.

Also suEXEC doesn't seem to have any facilities for limiting the CPU usage, memory, etc. for processes it runs. cgiwrap has this hard coded but it's still better than nothing.

> cheers
> marcelo gulin
>
> ----- Original Message -----
> From: Marcel Hicking [EMAIL PROTECTED]
> To: debian-isp@lists.debian.org
> Sent: Friday, April 27, 2001 3:44 AM
> Subject: Re: Apache and multiple virtual domains
>
> > What I want to do is have multiple virtual hosts with each virtual host having a different UID for running CGI-BIN scripts.
>
> http://cgiwrap.unixtools.org/
>
> CGIWrap is a gateway program that allows general users to use CGI scripts and HTML forms without compromising the security of the http server. Scripts are run with the permissions of the user who owns the script. In addition, several security checks are performed on the script, which will not be executed if any checks fail.
>
> Since scripts uploaded via FTP will be owned by your customer's UID, they should then run under his UID. I am not sure, however, if you could get the whole apache subprocess to be run under a different UID this way, but then I am not sure if this would give additional security or other advantages.
>
> BTW. I've seen some descriptions on how to set up CGIwrap transparently so your customers wouldn't even notice CGIwrap is running. Something with setting up a handler for file extensions. Maybe check the tips and tricks page http://cgiwrap.unixtools.org/tricks.html on this as well as for some nice mod_rewrite rules ;-)
>
> Cheers, Marcel

-- 
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/projects.html Projects I am working on
http://www.coker.com.au/~russell/ My home page
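An added example (written for this page, not any poster's configuration) of the per-virtual-host UID setup the thread is after, expressed with suEXEC in Apache 2.4 and with resource limits applied to the processes the server forks. The host names, the paths under /var/www and the cust_a user are made up, and the wrapper is assumed to be built with a docroot that covers /var/www and a minimum UID below cust_a's.

```conf
# Added example, not from any poster: an Apache 2.4 virtual host whose CGI
# runs under the customer's own UID through the suEXEC wrapper, with limits
# on the processes it spawns. Host names, paths and the cust_a user are made
# up; suEXEC is assumed to be built with a docroot covering /var/www.

# Before: CGI for every customer runs as the shared server user, so one
# customer's script can read (or write) every other customer's files.
<VirtualHost *:80>
    ServerName www.customer-a.example
    DocumentRoot /var/www/customer-a/htdocs
    ScriptAlias /cgi-bin/ /var/www/customer-a/cgi-bin/
</VirtualHost>

# After: scripts under this vhost execute as cust_a:cust_a. suEXEC refuses
# to run a script that is not owned by that user and group, or whose file
# or directory is writable by others, so a customer cannot point the
# wrapper at a neighbour's script.
<VirtualHost *:80>
    ServerName www.customer-a.example
    DocumentRoot /var/www/customer-a/htdocs
    SuexecUserGroup cust_a cust_a
    ScriptAlias /cgi-bin/ /var/www/customer-a/cgi-bin/
    <Directory /var/www/customer-a/cgi-bin>
        Options ExecCGI
        Require all granted
    </Directory>
    # Limits inherited by every process httpd forks for this vhost, CGI
    # included: CPU seconds, address space in bytes, processes per UID.
    # Each directive takes a soft value and a hard value.
    RLimitCPU 30 60
    RLimitMEM 67108864 134217728
    RLimitNPROC 20 30
</VirtualHost>
```

`suexec -V` prints the compile-time docroot and minimum UID/GID the wrapper accepts, and each refused execution is recorded in the suEXEC log, which is where to look when a customer's script silently returns a 500.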
Re: An LDAP authentication howto for Debian?
Jeremy L. Gaddis wrote:

> Out of curiosity, has anyone come across a sort of LDAP authentication howto for Debian?

The LDP has a perfectly good set of documents already; there's no need to duplicate the good work already done by them. A Debian-specific section may be of use; however, there's nothing all that different (apart from Debian being set up sanely to begin with).

- Jeff

-- 
Is Murphy's Law constitutional?